I recently wrote an article that said security consultants should send surveys ahead of time to cut down on the interview time. The survey is more convenient, and it’s an easy data-driven way to collect objective information. I got some pushback for that. Here’s why.
Most consultants get it—they see the benefits from a data-driven approach. But I often get objections from people who say you can’t summarize a security consultant’s entire professional expertise in a single questionnaire. These consultants are worried about being so objective that their unique experience gets thrown out the window. They’re afraid of being replaced by a survey.
Objective Data or Subjective Expertise?
Questionnaires aren’t supposed to be an all-encompassing solution. But when you’re dealing with regulatory compliance, you’re either compliant or you aren’t. That’s an objective measure, and you don’t need to have specialized, subjective experience to check that box.
Is there value in your subjective and unique expertise? Yes, of course. A high school in East Detroit is different from a high school in Dubuque, Iowa. Different environments have unique quirks, and a security consultant’s years of expertise is incredibly valuable in sussing out the implications of those differences.
But the risk assessment industry must become more objective so that we can begin to collect meaningful risk data. It’s critical to analyze that data so we can understand risk more comprehensively.
And frankly, this kind of data collection and analysis is long overdue. If the risk assessment industry continues to rely only on subjective processes and methods, we’ll never truly understand risk. At that point, subjectivity becomes an excuse, not an advantage.
Steps Toward a Data-Driven Industry
What would it look like for the security industry to become data-driven? Here are some thoughts.
1) Establish a methodology
The risk assessment industry needs to start data mining by comparing apples to apples. Not all facilities are the same, but not everything is different. For example, a door is a door, and a lock is a lock. It doesn’t matter what type of door your customers have if they’re leaving it propped open for cigarette breaks.
We need to create a method to understand the dependent and independent variables in each circumstance. Yes, there are a lot of variables and factors to consider when performing a risk analysis. What are the threats and hazards? How does geographic location affect those threats or hazards? What countermeasures are in place to deter, delay, protect, and/or prevent such incidents?
But with a true method, we can break down the overall analysis to specific variables, and use these variables to understand each building independently of one another or as a whole by sector or location. Data is the key to truly understanding risk.
2) Standardize requirements
We need to develop a set of standards that are universally accepted, with minimum baselines for all facilities in each sector. There need to be consequences for non-compliance, just as OSHA and NAFTA have. If we don’t establish a standard baseline, we will continue to see issues that could be prevented by practicing basic security functions.
3) Start collecting your own data
You don’t need to wait for industry standards to make a difference. With the right technology, you can collect objective data quickly and easily. Circadian Risk software stores your data in the cloud and makes it possible to combine and analyze data from multiple franchise sites. You can give your customers objective baseline data about all of their facilities, not just one or two of them.
As security consultants use Circadian Risk, that objective data can be made available (anonymously) at the industry level, to provide baseline reporting across sectors, regions, facility size, and more.
Objectivity PLUS Subjectivity
An objective survey isn’t intended to summarize your entire professional experience. No questionnaire can replace the expertise of a security consultant—nor should it. Instead, objective data adds an entirely new dimension to your overall value, giving you more tools to help your customers reduce their risk. Don’t spend all your time on identifying the issues, but on creating solutions to the problems. With technology, we can finally put the focus on correcting issues.
Find out how Circadian Risk can make you a more complete security expert—schedule a personalized demo today.